The way I see it is this: ZPT has (amongst others) the very nice property that it's trivial to audit ZPT pages for non-quoted string output: just grep for 'structure'.
OTOH in DTML there's no way to do that; the default is unquoted output. &dtml-stuff; is a good step, but there's way too much code out there that doesn't take proper security precautions and is vulnerable to cross-site scripting attacks. The fact that namespaces are implicit and make it possible to get stuff from where we don't expect it doesn't help.

We should always keep in mind the security debacle that PHP has become because it didn't take proper precautions for quoting (reports on Bugtraq of XSS attacks in some PHP application practically every week). There's magic_quotes_gpc or magic_quotes_runtime that automatically quotes their equivalent of REQUEST or even any output from outside applications, but it's a PITA because it does too much and is often inconvenient, so a lot of users turn it off or forget to turn it on. And it's too much magic.

The solution Martijn implemented has a number of nice properties, for instance protecting those that do <dtml-var foo>, and will only leave open the applications that really didn't take the most basic security precautions (unfortunately I'm sure there are some out there, doing stuff like <a href="<dtml-var "REQUEST.foo">"><dtml-var "REQUEST.footitle"></a>).

So in a code audit all <dtml-var [expr=]"xxx"> should be suspect, and &dtml-.xxx; too.

Florent

-- 
Florent Guillaume, Nuxeo (Paris, France)   +33 1 40 33 79 87
http://nuxeo.com
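To make the audit heuristics in the post above concrete, here is an added example (written for this discussion; it is not Florent's code and not part of Zope). It scans a template line by line and reports the constructs the post says to look for: `structure` in ZPT, and `<dtml-var "expr">` / `<dtml-var expr="...">` in DTML. Two rules go beyond the post and are my own assumptions: a plain `<dtml-var name>` without an explicit `html_quote` is flagged for review, and the entity form with an attribute list (`&dtml.attr-name;`) is treated as unquoted unless `html_quote` is among the listed attributes (my understanding of DTML's entity syntax; plain `&dtml-name;` is treated as quoted). The sample template at the bottom is constructed for the example and includes the `<a href="<dtml-var "REQUEST.foo">">` pattern from the post.

```python
"""Audit Zope templates (ZPT and DTML) for output that bypasses HTML quoting.

Added example for the discussion above, not Zope code.  Rules:
  * ZPT: any tal:content / tal:replace expression using ``structure``.
  * DTML: <dtml-var "expr"> or <dtml-var expr="..."> (expression output).
  * DTML: <dtml-var name> without html_quote  (assumption: flagged for review).
  * DTML: &dtml.attr-name; without html_quote (assumption: attribute list
    suppresses the implicit html_quote of plain &dtml-name;).
"""
import re
from dataclasses import dataclass


@dataclass
class Finding:
    line: int
    severity: str       # "high" (unquoted output) or "review"
    kind: str
    snippet: str
    in_attribute: bool  # construct sits inside an HTML attribute value


# ZPT: tal:content="structure ..." / tal:replace="structure ..."
ZPT_STRUCTURE = re.compile(r'tal:(?:content|replace)\s*=\s*"\s*structure\b[^"]*"')
# DTML expression form: <dtml-var "expr"> or <dtml-var expr="expr"> [attrs]
DTML_EXPR = re.compile(r'<dtml-var\s+(?:expr\s*=\s*)?"([^"]*)"([^>]*)>')
# DTML name form: <dtml-var name [attrs]> / <dtml-var name="name" [attrs]>
DTML_NAME = re.compile(r'<dtml-var\s+(?:name\s*=\s*"?)?([A-Za-z_][\w.]*)"?(?=[\s>])([^>]*)>')
# Entity forms: &dtml-name; (implicit html_quote) and &dtml.attr1.attr2-name;
DTML_ENTITY = re.compile(r'&dtml((?:\.[A-Za-z_]\w*)*)-([A-Za-z_][\w.]*);')
# Start of an HTML tag that is not itself a DTML tag (attribute heuristic)
HTML_TAG_OPEN = re.compile(r'<(?!/?dtml-)')


def _inside_attribute(line: str, pos: int) -> bool:
    """Heuristic: an odd number of double quotes between the last non-DTML
    '<' and pos means the construct is inside an attribute value such as
    href="...", where even html_quote does not make a URL safe."""
    prefix = line[:pos]
    starts = [m.start() for m in HTML_TAG_OPEN.finditer(prefix)]
    if not starts:
        return False
    return prefix[starts[-1]:].count('"') % 2 == 1


def audit_line(lineno: int, line: str) -> list:
    """Return all findings on one template line, in rule order."""
    found = []

    def add(severity, kind, m):
        found.append(Finding(lineno, severity, kind, m.group(0),
                             _inside_attribute(line, m.start())))

    for m in ZPT_STRUCTURE.finditer(line):
        add("high", "zpt-structure", m)
    for m in DTML_EXPR.finditer(line):
        # Expression output is never auto-quoted; still worth a look with html_quote.
        quoted = "html_quote" in m.group(2).split()
        add("review" if quoted else "high", "dtml-var-expr", m)
    for m in DTML_NAME.finditer(line):
        if "html_quote" not in m.group(2).split():
            add("review", "dtml-var-name-no-html_quote", m)
    for m in DTML_ENTITY.finditer(line):
        attrs = [a for a in m.group(1).split(".") if a]
        if attrs and "html_quote" not in attrs:
            add("high", "dtml-entity-attrs-no-html_quote", m)
    return found


def audit(text: str) -> list:
    """Run the checks over every line of a template; findings come back in line order."""
    return [f for n, line in enumerate(text.splitlines(), 1) for f in audit_line(n, line)]


# Constructed sample template mixing ZPT and DTML, including the pattern
# quoted in the post.  Only lines 2, 5, 6 and 7 should be reported.
SAMPLE_TEMPLATE = """\
<h1 tal:content="here/title">Title</h1>
<div tal:content="structure here/body">body</div>
<p>&dtml-name;</p>
<p><dtml-var name html_quote></p>
<p><dtml-var comment></p>
<a href="<dtml-var "REQUEST.foo">"><dtml-var "REQUEST.footitle"></a>
<p>&dtml.missing-nick;</p>
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_TEMPLATE):
        where = " (inside attribute value)" if f.in_attribute else ""
        print(f"line {f.line}: [{f.severity}] {f.kind}{where}: {f.snippet}")
```

On the sample this reports the `structure` line, the bare `<dtml-var comment>` for review, both expression vars on the anchor line (the first one marked as sitting inside the `href` value, which is the worst case because quoting alone does not stop a `javascript:` URL), and the entity with an attribute list; the quoted `&dtml-name;` and `<dtml-var name html_quote>` are left alone. The attribute heuristic is line-local and counts only double quotes, so tags spanning several lines or using single-quoted attributes need a real HTML tokenizer; for a first pass over a large DTML code base, though, the "every expression var is suspect" rule from the post is the one that finds the real problems.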